From ceeb469086226f835817bb96fca1143e6717c988 Mon Sep 17 00:00:00 2001 From: Chris Kim Date: Wed, 19 Jul 2023 17:08:17 -0700 Subject: [PATCH 1/2] add rancher-provisioning-capi 
Signed-off-by: Chris Kim --- ...cher-provisioning-capi-100.0.0+up0.0.1.tgz | Bin 0 -> 3415 bytes .../100.0.0+up0.0.1/Chart.yaml | 21 ++ .../100.0.0+up0.0.1/templates/NOTES.txt | 2 + .../100.0.0+up0.0.1/templates/_helpers.tpl | 18 + ...sterrole-capi-aggregated-manager-role.yaml | 11 + .../clusterrole-capi-manager-role.yaml | 323 ++++++++++++++++++ .../templates/clusterrole-cattle.yaml | 21 ++ ...rrolebinding-capi-manager-rolebinding.yaml | 14 + .../deployment-capi-controller-manager.yaml | 106 ++++++ .../100.0.0+up0.0.1/templates/hardened.yaml | 82 +++++ .../role-capi-leader-election-role.yaml | 26 ++ ...ding-capi-leader-election-rolebinding.yaml | 15 + .../service-capi-webhook-service.yaml | 15 + .../serviceaccount-capi-manager.yaml | 7 + .../100.0.0+up0.0.1/values.yaml | 25 ++ index.yaml | 26 ++ .../rancher-provisioning-capi/package.yaml | 5 + release.yaml | 2 + 18 files changed, 719 insertions(+) create mode 100644 assets/rancher-provisioning-capi/rancher-provisioning-capi-100.0.0+up0.0.1.tgz create mode 100644 charts/rancher-provisioning-capi/100.0.0+up0.0.1/Chart.yaml create mode 100644 charts/rancher-provisioning-capi/100.0.0+up0.0.1/templates/NOTES.txt create mode 100644 charts/rancher-provisioning-capi/100.0.0+up0.0.1/templates/_helpers.tpl create mode 100644 charts/rancher-provisioning-capi/100.0.0+up0.0.1/templates/clusterrole-capi-aggregated-manager-role.yaml create mode 100644 charts/rancher-provisioning-capi/100.0.0+up0.0.1/templates/clusterrole-capi-manager-role.yaml create mode 100644 charts/rancher-provisioning-capi/100.0.0+up0.0.1/templates/clusterrole-cattle.yaml create mode 100644 charts/rancher-provisioning-capi/100.0.0+up0.0.1/templates/clusterrolebinding-capi-manager-rolebinding.yaml create mode 100644 charts/rancher-provisioning-capi/100.0.0+up0.0.1/templates/deployment-capi-controller-manager.yaml create mode 100644 charts/rancher-provisioning-capi/100.0.0+up0.0.1/templates/hardened.yaml create mode 100644 
charts/rancher-provisioning-capi/100.0.0+up0.0.1/templates/role-capi-leader-election-role.yaml create mode 100644 charts/rancher-provisioning-capi/100.0.0+up0.0.1/templates/rolebinding-capi-leader-election-rolebinding.yaml create mode 100644 charts/rancher-provisioning-capi/100.0.0+up0.0.1/templates/service-capi-webhook-service.yaml create mode 100644 charts/rancher-provisioning-capi/100.0.0+up0.0.1/templates/serviceaccount-capi-manager.yaml create mode 100644 charts/rancher-provisioning-capi/100.0.0+up0.0.1/values.yaml create mode 100644 packages/rancher-provisioning-capi/package.yaml 
diff --git a/assets/rancher-provisioning-capi/rancher-provisioning-capi-100.0.0+up0.0.1.tgz b/assets/rancher-provisioning-capi/rancher-provisioning-capi-100.0.0+up0.0.1.tgz new file mode 100644 index 0000000000000000000000000000000000000000..a1b8c78f920bb424db20450362be1726ad1b3f13 GIT binary patch literal 3415 zcmV-d4XE-TiwG0|00000|0w_~VMtOiV@ORlOnEsqVl!4SWK%V1T2nbTPgYhoO;>Dc zVQyr3R8em|NM&qo0PH+}Z`(Ms{o9{{(C$NkeU&V`{?R9(57$d`i{7?bBk3-1=q?Ic z8r!^3q>iNAq*;IWgG5QzPg`*uCk@O$5{slbLvm&~Gn|pY%w2#m1HqR>63z&ln=TGW z_jG}UvTm?XU);0Uwr!6FgZRH~+vWegVQ=)JHy8}Z!{K1m@4v8nqyD)60@?Qk+@^$5 zVe!JgH>~pHzLSC(;|eRnnRGe`xmaP!=a!3=qF@o;bwMaHBj7nGp_STh9+3gXHzvbA zIOsz6M3Wpcu!u*U;-x@d1SO5hqAzAN6F7Duf{GJZF>~(MuWRE>-U=2DRNLP?R z#Z~b_x!D$(zTP6_azDU|OevtRL@jFfx3l08Dhs6o>2$kuq88!Qa=D+*uA9fMJEeTu z^)X>xHxe|m8w;IIRHHCqAf(eV5%`!;2e}JDq;*C7zsXQSG-wAQJ@wP53H?I+&bFnH zJQOa(!`>6gY@2$vZP}LnzhMyl?{yxVo9|wl<^K}X5ad1%fNk=>KeEg6f7l-!<^LfH z@$noY$uA(_k|-{2G9K#sL_Q!6qT46HbYHU4hi0Zjzq zf~cEQilscqJ|HY5nKST^;(2^KLAhtVvK_cq0-v#E3-M3_{VQt&Kvx&ZeI5hamS zScMWzZ;%LCL@mx*P9xLIG;wr$i>wQ+rN%?++SLlpL7{+q(s=B-A4@y_|FQrYfRL67 zc2Whm@&9PhFY0d!@7gTT zx?F0I*6MKCYk?q4&5-dwvTN)#08k0pgR#a3m{H2Di79q19I6Eu z2W9CW(IrsIRc9#%L4O>;<85J;SG!a+I9HFFtlqT!ARDQMH{vA5~m4uLh z%mbXZWY&s|tCk?9xz;(T>^CKH{qQxCf=$q{=W!;j@|>DbIQi+M4z?=*E65%_ppbiP z#4JcK(@$aGS{ZYV_b0w9)LH%mRSZFU}Krw^nUWCmAmP&-K3PnS|CrnZ;*5Ny!;T^ff zrC7>(S@S)iUafA)(~pDt9yxm_$oYy5GIG-*K6UDN9+UC)9me|l!z3vjQV2mTFh8#c1g?MWUq38De#w1RzHxnXv?{re@*%7ive_L)tz zc`|LW-z$Ppe_$OJc&YBmpEGR{FE>9SLT>hNxSY+%+{eLv7Jo_o$h$~n} z#2bH>LJP^y{vY-F zy(9l0qU8A>2Z3C(`nzn`@6X~Wz3?>S8&3ySNvO!AjqTfcOa|a42`!YkSURZJK`4#8 z(}>rEG2LM)PT^80QC~NUfVXoYT;z-W@Ved5s8O| z-w67*_wODKa!9;#^lh5HgW}*; zNBh6Q;8h8X9_}kl7o1<262!7FYCN*wio2XT=+o(BD*(F|K*JmxMiziQveQ~dZ{Dl z=tloyO$bEh9!^VgOo33PhG-LhW%R~Dk>ytAF$bMQteTt(8=~zkv|3eoaGm^!Rx78{ ztneJIRwp@_X;NQ);-*OfdmzmCFszXr(Mx5ip}&+E1A=yVl6VKHU?EU*g`5QKY|;Bw|gM}EqVnhpwQUhV#A z7i@9CbX^XGJdqF=%-k5IG|gK?m`g*iDfr()e<7AE^Xv60m&AO2(0Wl{=#gz)X~cre 
zFC>^Y;91C($fG)HL^YpJTZ?JFLxyN+yg1Jzt1+|8i*@2fwm)(1MvQD6gj`Id$Vb;@ zZ=`u0>#)-{AdD?Av<9|55A#_e*F-A02T(qa^uIg7FwXheHMpV5p|%+aDA#KNqC!t4 zI;i9uuY1;|BH!LNzPQ#haxfp;TzYn;js3sC!UG20uHS;#V*d{Yb~*pY9*@UI`~MIn zZ~sptt9b1I_$Qy%c)J@3#*A;xOo@w@dXu4EawXs(XgPN2i$w?-3!uIw7v1P=HXIai zsmvsI`K5jegSo&SRJ)t{Le&gn%f@h!KHo#v1@ORoiKZ~)0?fENzKbQCWiE!zCjK4P z3)Of8+OJ5_(63XVS|hQGnwQhUd$ye_UIHSEzKf2Pr6q(#O^^TF`YA0D8 za|0EpB~kL*>G(ft9skEtHf)kdU)A=TI%>UtlR3ZP zM?zp&6IfJ}%rE+B2GQT!KMWiy9vfOkANnVL1?&$avGrET)l@?9k;#HS8zzg#X!7vs zE4;m5n1HoYG#rM2QzjoMSoi&o}OtzWY*`te}oWW za{)5TNsjBFTBXnQPd5Q%_3!nY$Bf1UW7cOMbXS|$K*jsNKlD*3<1 z?|&Yq-0{%Zdm4TnMYX=_+x28^5t>>bTFkld60hTyG}9Q}-QpurUEpUa2(cKUm_&u{ zvj1)QzYzFSw`m&!fVT1fs5h*{|BQ~`|2Rn5f&U*O@Mi->wU-9Fsg%_Sp<0>rOv8iP z@PBsQQF8~<#wWNv{;wSWI~a|R{C|+L$vW99hnMK4HCNX-{1|{|;`sJ0_eE@dTW2=1.23.0-0' + catalog.cattle.io/namespace: cattle-provisioning-capi-system + catalog.cattle.io/os: linux + catalog.cattle.io/permits-os: linux,windows + catalog.cattle.io/provides-gvr: apps.deployment/v1 + catalog.cattle.io/rancher-version: '>= 2.7.0-0' + catalog.cattle.io/release-name: rancher-provisioning-capi +apiVersion: v1 +appVersion: 1.4.4 +description: capi-controller-manager compatible with Rancher Provisioning +home: https://github.com/rancher/provisioning/blob/main/charts/capi/ +maintainers: +- email: chris.kim@suse.com + name: Chris Kim +name: rancher-provisioning-capi +sources: +- https://github.com/rancher/provisioning/blob/main/charts/capi/ +version: 100.0.0+up0.0.1 diff --git a/charts/rancher-provisioning-capi/100.0.0+up0.0.1/templates/NOTES.txt b/charts/rancher-provisioning-capi/100.0.0+up0.0.1/templates/NOTES.txt new file mode 100644 index 0000000000..2070555e03 --- /dev/null +++ b/charts/rancher-provisioning-capi/100.0.0+up0.0.1/templates/NOTES.txt @@ -0,0 +1,2 @@ +{{ $.Chart.Name }} has been installed. Check its status by running: + kubectl --namespace {{ .Release.Namespace }} get pods" \ No newline at end of file 
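Review bot: The second line of NOTES.txt ends with an unmatched double quote (`get pods"`), so the status command printed after install leaves the shell waiting for a closing quote when it is pasted. It should read `kubectl --namespace {{ .Release.Namespace }} get pods`.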
diff --git a/charts/rancher-provisioning-capi/100.0.0+up0.0.1/templates/_helpers.tpl b/charts/rancher-provisioning-capi/100.0.0+up0.0.1/templates/_helpers.tpl
new file mode 100644
index 0000000000..d46154c543
--- /dev/null
+++ b/charts/rancher-provisioning-capi/100.0.0+up0.0.1/templates/_helpers.tpl
@@ -0,0 +1,18 @@
+{{- define "system_default_registry" -}}
+{{- if .Values.global.cattle.systemDefaultRegistry -}}
+{{- printf "%s/" .Values.global.cattle.systemDefaultRegistry -}}
+{{- else -}}
+{{- "" -}}
+{{- end -}}
+{{- end -}}
+
+{{- define "linux-node-tolerations" -}}
+- key: "cattle.io/os"
+ value: "linux"
+ effect: "NoSchedule"
+ operator: "Equal"
+{{- end -}}
+
+{{- define "linux-node-selector" -}}
+kubernetes.io/os: linux
+{{- end -}}
diff --git a/charts/rancher-provisioning-capi/100.0.0+up0.0.1/templates/clusterrole-capi-aggregated-manager-role.yaml b/charts/rancher-provisioning-capi/100.0.0+up0.0.1/templates/clusterrole-capi-aggregated-manager-role.yaml
new file mode 100644
index 0000000000..760c5f9a63
--- /dev/null
+++ b/charts/rancher-provisioning-capi/100.0.0+up0.0.1/templates/clusterrole-capi-aggregated-manager-role.yaml
@@ -0,0 +1,11 @@
+aggregationRule:
+ clusterRoleSelectors:
+ - matchLabels:
+ cluster.x-k8s.io/aggregate-to-manager: "true"
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+ labels:
+ cluster.x-k8s.io/provider: cluster-api
+ name: capi-aggregated-manager-role
+rules: []
diff --git a/charts/rancher-provisioning-capi/100.0.0+up0.0.1/templates/clusterrole-capi-manager-role.yaml b/charts/rancher-provisioning-capi/100.0.0+up0.0.1/templates/clusterrole-capi-manager-role.yaml
new file mode 100644
index 0000000000..d3d02e51a0
--- /dev/null
+++ b/charts/rancher-provisioning-capi/100.0.0+up0.0.1/templates/clusterrole-capi-manager-role.yaml
@@ -0,0 +1,323 @@ +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + labels: + cluster.x-k8s.io/aggregate-to-manager: "true" + cluster.x-k8s.io/provider: cluster-api + name: capi-manager-role +rules: + - apiGroups: + - "" + resources: + - namespaces + verbs: + - get + - list + - watch + - apiGroups: + - addons.cluster.x-k8s.io + resources: + - '*' + verbs: + - create + - delete + - get + - list + - patch + - update + - watch + - apiGroups: + - addons.cluster.x-k8s.io + resources: + - clusterresourcesets/finalizers + - clusterresourcesets/status + verbs: + - get + - patch + - update + - apiGroups: + - apiextensions.k8s.io + resources: + - customresourcedefinitions + verbs: + - get + - list + - watch + - apiGroups: + - bootstrap.cluster.x-k8s.io + - controlplane.cluster.x-k8s.io + - infrastructure.cluster.x-k8s.io + resources: + - '*' + verbs: + - create + - delete + - get + - list + - patch + - update + - watch + - apiGroups: + - bootstrap.cluster.x-k8s.io + - infrastructure.cluster.x-k8s.io + resources: + - '*' + verbs: + - create + - delete + - get + - list + - patch + - update + - watch + - apiGroups: + - cluster.x-k8s.io + resources: + - clusterclasses + verbs: + - create + - delete + - get + - list + - patch + - update + - watch + - apiGroups: + - cluster.x-k8s.io + resources: + - clusterclasses + - clusterclasses/status + verbs: + - get + - list + - patch + - update + - watch + - apiGroups: + - cluster.x-k8s.io + resources: + - clusters + verbs: + - get + - list + - watch + - apiGroups: + - cluster.x-k8s.io + resources: + - clusters + - clusters/finalizers + - clusters/status + verbs: + - create + - delete + - get + - list + - patch + - update + - watch + - apiGroups: + - cluster.x-k8s.io + resources: + - clusters + - clusters/status + verbs: + - create + - delete + - get + - list + - patch + - update + - watch + - apiGroups: + - cluster.x-k8s.io + resources: + - machinedeployments + verbs: + - create + - delete + - get + - list + - 
patch + - update + - watch + - apiGroups: + - cluster.x-k8s.io + resources: + - machinedeployments + - machinedeployments/finalizers + verbs: + - get + - list + - patch + - update + - watch + - apiGroups: + - cluster.x-k8s.io + resources: + - machinedeployments + - machinedeployments/finalizers + - machinedeployments/status + verbs: + - create + - delete + - get + - list + - patch + - update + - watch + - apiGroups: + - cluster.x-k8s.io + resources: + - machinehealthchecks + verbs: + - create + - delete + - get + - list + - patch + - update + - watch + - apiGroups: + - cluster.x-k8s.io + resources: + - machinehealthchecks + - machinehealthchecks/finalizers + - machinehealthchecks/status + verbs: + - get + - list + - patch + - update + - watch + - apiGroups: + - cluster.x-k8s.io + resources: + - machinepools + - machinepools/finalizers + - machinepools/status + verbs: + - create + - delete + - get + - list + - patch + - update + - watch + - apiGroups: + - cluster.x-k8s.io + resources: + - machines + - machines/finalizers + - machines/status + verbs: + - create + - delete + - get + - list + - patch + - update + - watch + - apiGroups: + - cluster.x-k8s.io + resources: + - machines + - machines/status + verbs: + - delete + - get + - list + - watch + - apiGroups: + - cluster.x-k8s.io + resources: + - machinesets + verbs: + - get + - list + - watch + - apiGroups: + - cluster.x-k8s.io + resources: + - machinesets + - machinesets/finalizers + verbs: + - get + - list + - patch + - update + - watch + - apiGroups: + - cluster.x-k8s.io + resources: + - machinesets + - machinesets/finalizers + - machinesets/status + verbs: + - create + - delete + - get + - list + - patch + - update + - watch + - apiGroups: + - "" + resources: + - configmaps + verbs: + - get + - list + - patch + - watch + - apiGroups: + - "" + resources: + - events + verbs: + - create + - get + - list + - patch + - watch + - apiGroups: + - "" + resources: + - nodes + verbs: + - create + - delete + - get + - list 
+ - patch + - update + - watch + - apiGroups: + - "" + resources: + - secrets + verbs: + - create + - delete + - get + - list + - patch + - watch + - apiGroups: + - ipam.cluster.x-k8s.io + resources: + - ipaddressclaims + verbs: + - get + - list + - watch + - apiGroups: + - runtime.cluster.x-k8s.io + resources: + - extensionconfigs + - extensionconfigs/status + verbs: + - get + - list + - patch + - update + - watch diff --git a/charts/rancher-provisioning-capi/100.0.0+up0.0.1/templates/clusterrole-cattle.yaml b/charts/rancher-provisioning-capi/100.0.0+up0.0.1/templates/clusterrole-cattle.yaml new file mode 100644 index 0000000000..5beeafddab --- /dev/null +++ b/charts/rancher-provisioning-capi/100.0.0+up0.0.1/templates/clusterrole-cattle.yaml @@ -0,0 +1,21 @@ +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + name: provisioning-rke-cattle-io + labels: + cluster.x-k8s.io/aggregate-to-manager: "true" +rules: + - apiGroups: ["rke.cattle.io"] + resources: ["*"] + verbs: ["*"] +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + name: provisioning-rke-machine-cattle-io + labels: + cluster.x-k8s.io/aggregate-to-manager: "true" +rules: + - apiGroups: ["rke-machine.cattle.io"] + resources: ["*"] + verbs: ["*"] diff --git a/charts/rancher-provisioning-capi/100.0.0+up0.0.1/templates/clusterrolebinding-capi-manager-rolebinding.yaml b/charts/rancher-provisioning-capi/100.0.0+up0.0.1/templates/clusterrolebinding-capi-manager-rolebinding.yaml new file mode 100644 index 0000000000..2fb193d4ac --- /dev/null +++ b/charts/rancher-provisioning-capi/100.0.0+up0.0.1/templates/clusterrolebinding-capi-manager-rolebinding.yaml 
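Review bot: The core-group rules in capi-manager-role grant `secrets` create/delete/get/list/patch/watch and `nodes` create/delete/update across the whole cluster, and the `cluster.x-k8s.io/aggregate-to-manager: "true"` label folds them into the role bound to the capi-manager ServiceAccount. The values.yaml in this patch turns off MachinePool, ClusterResourceSet, ClusterTopology and RuntimeSDK, so the `addons.cluster.x-k8s.io`, `machinepools`, `clusterclasses` and `runtime.cluster.x-k8s.io` rules look unused in this configuration and could be dropped or gated on those flags. Several rules are also subsumed by others (the second `bootstrap`/`infrastructure` `'*'` rule repeats the one before it). If the list is copied unchanged from upstream cluster-api, a header comment such as `# copied from upstream cluster-api RBAC; keep in sync, do not hand-edit` would tell reviewers why the breadth is kept.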
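Review bot: Both ClusterRoles in clusterrole-cattle.yaml use `verbs: ["*"]` on `resources: ["*"]`, which for `rke.cattle.io` and `rke-machine.cattle.io` also covers `deletecollection`, every subresource, and any resource added to those groups later. Because both roles aggregate into the controller's role, spelling out the verbs the controller needs, for example `verbs: ["create", "delete", "get", "list", "patch", "update", "watch"]` as the other rules in this chart do, keeps the grant reviewable.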
@@ -0,0 +1,14 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+ labels:
+ cluster.x-k8s.io/provider: cluster-api
+ name: capi-manager-rolebinding
+roleRef:
+ apiGroup: rbac.authorization.k8s.io
+ kind: ClusterRole
+ name: capi-aggregated-manager-role
+subjects:
+ - kind: ServiceAccount
+ name: capi-manager
+ namespace: "{{ .Release.Namespace }}"
diff --git a/charts/rancher-provisioning-capi/100.0.0+up0.0.1/templates/deployment-capi-controller-manager.yaml b/charts/rancher-provisioning-capi/100.0.0+up0.0.1/templates/deployment-capi-controller-manager.yaml
new file mode 100644
index 0000000000..edfd66fd71
--- /dev/null
+++ b/charts/rancher-provisioning-capi/100.0.0+up0.0.1/templates/deployment-capi-controller-manager.yaml
@@ -0,0 +1,106 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+ labels:
+ cluster.x-k8s.io/provider: cluster-api
+ control-plane: controller-manager
+ name: capi-controller-manager
+ namespace: "{{ .Release.Namespace }}"
+spec:
+ replicas: 1
+ selector:
+ matchLabels:
+ cluster.x-k8s.io/provider: cluster-api
+ control-plane: controller-manager
+ template:
+ metadata:
+ labels:
+ cluster.x-k8s.io/provider: cluster-api
+ control-plane: controller-manager
+ spec:
+ containers:
+ - command:
+ - /manager
+ env:
+ - name: POD_NAMESPACE
+ valueFrom:
+ fieldRef:
+ fieldPath: metadata.namespace
+ - name: POD_NAME
+ valueFrom:
+ fieldRef:
+ fieldPath: metadata.name
+ - name: POD_UID
+ valueFrom:
+ fieldRef:
+ fieldPath: metadata.uid
+{{- if .Values.extraEnv }}
+{{ toYaml .Values.extraEnv | indent 12 }}
+{{- end }}
+ imagePullPolicy: "{{ .Values.image.imagePullPolicy }}"
+ livenessProbe:
+ httpGet:
+ path: /healthz
+ port: healthz
+ name: manager
+ ports:
+ - containerPort: 9443
+ name: webhook-server
+ protocol: TCP
+ - containerPort: 9440
+ name: healthz
+ protocol: TCP
+ readinessProbe:
+ httpGet:
+ path: /readyz
+ port: healthz
+ securityContext:
+ allowPrivilegeEscalation: false
+ capabilities:
+ drop:
+ - ALL
+ privileged: false
+ runAsGroup: 65532
+ runAsUser: 65532
+ volumeMounts:
+ - mountPath: /tmp/k8s-webhook-server/serving-certs
+ name: cert
+ readOnly: true
+ image: '{{ template "system_default_registry" . }}{{ .Values.image.repository }}:{{ .Values.image.tag }}'
+ args:
+ - --leader-elect
+{{ toYaml .Values.args | indent 12 }}
+ securityContext:
+ runAsNonRoot: true
+ seccompProfile:
+ type: RuntimeDefault
+ serviceAccountName: capi-manager
+ terminationGracePeriodSeconds: 10
+ volumes:
+ - name: cert
+ secret:
+ secretName: capi-webhook-service-cert
+ nodeSelector: {{ include "linux-node-selector" . | nindent 8 }}
+ {{- if .Values.nodeSelector }}
+{{ toYaml .Values.nodeSelector | indent 8 }}
+ {{- end }}
+ tolerations: {{ include "linux-node-tolerations" . | nindent 6 }}
+ {{- if .Values.tolerations }}
+{{ toYaml .Values.tolerations | indent 6 }}
+ {{- else }}
+ - effect: NoSchedule
+ key: node-role.kubernetes.io/controlplane
+ value: "true"
+ - effect: NoSchedule
+ key: "node-role.kubernetes.io/control-plane"
+ operator: "Exists"
+ - effect: NoSchedule
+ key: "node-role.kubernetes.io/master"
+ operator: "Exists"
+ - effect: "NoExecute"
+ key: "node-role.kubernetes.io/etcd"
+ operator: "Exists"
+ {{- end }}
+ {{- if .Values.priorityClassName }}
+ priorityClassName: "{{.Values.priorityClassName}}"
+ {{- end }}
diff --git a/charts/rancher-provisioning-capi/100.0.0+up0.0.1/templates/hardened.yaml b/charts/rancher-provisioning-capi/100.0.0+up0.0.1/templates/hardened.yaml
new file mode 100644
index 0000000000..933dfb86a7
--- /dev/null
+++ b/charts/rancher-provisioning-capi/100.0.0+up0.0.1/templates/hardened.yaml
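Review bot: The `manager` container's `securityContext` drops all capabilities and blocks privilege escalation but leaves the root filesystem writable, and the container has no `resources` requests or limits. The only mount shown is the read-only serving-cert secret, so `readOnlyRootFilesystem: true` looks feasible, though whether `/manager` writes anywhere else is not visible from this template and should be confirmed first. This pod runs with the aggregated manager role, which includes cluster-wide `secrets` access, so limits and a read-only filesystem are worth having on it. Note also that setting `.Values.tolerations` replaces the four control-plane/etcd tolerations in the `else` branch rather than adding to them; a comment in values.yaml saying so would prevent a surprise reschedule.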
@@ -0,0 +1,82 @@
+apiVersion: batch/v1
+kind: Job
+metadata:
+ name: rancher-provisioning-capi-patch-sa
+ namespace: {{ .Release.Namespace }}
+ labels:
+ app: rancher-provisioning-capi-patch-sa
+ annotations:
+ "helm.sh/hook": post-install, post-upgrade
+ "helm.sh/hook-delete-policy": hook-succeeded, before-hook-creation
+spec:
+ template:
+ metadata:
+ name: rancher-provisioning-capi-patch-sa
+ labels:
+ app: rancher-provisioning-capi-patch-sa
+ spec:
+ serviceAccountName: rancher-provisioning-capi-patch-sa
+ securityContext:
+ runAsNonRoot: true
+ runAsUser: 1000
+ restartPolicy: Never
+ nodeSelector: {{ include "linux-node-selector" . | nindent 8 }}
+ tolerations: {{ include "linux-node-tolerations" . | nindent 8 }}
+ containers:
+ - name: patch-sa-{{ .Release.Namespace }}
+ image: {{ template "system_default_registry" $ }}{{ $.Values.global.kubectl.repository }}:{{ $.Values.global.kubectl.tag }}
+ imagePullPolicy: {{ $.Values.global.kubectl.pullPolicy }}
+ command: ["kubectl", "patch", "serviceaccount", "default", "-p", "{\"automountServiceAccountToken\": false}"]
+ args: ["-n", "{{ .Release.Namespace }}"]
+---
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+ name: rancher-provisioning-capi-patch-sa
+ labels:
+ app: rancher-provisioning-capi-patch-sa
+rules:
+ - apiGroups:
+ - ""
+ resources:
+ - serviceaccounts
+ verbs: ['get', 'patch']
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+ name: rancher-provisioning-capi-patch-sa
+ labels:
+ app: rancher-provisioning-capi-patch-sa
+roleRef:
+ apiGroup: rbac.authorization.k8s.io
+ kind: ClusterRole
+ name: rancher-provisioning-capi-patch-sa
+subjects:
+ - kind: ServiceAccount
+ name: rancher-provisioning-capi-patch-sa
+ namespace: {{ .Release.Namespace }}
+---
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+ name: rancher-provisioning-capi-patch-sa
+ namespace: {{ .Release.Namespace }}
+ labels:
+ app: rancher-provisioning-capi-patch-sa
+---
+apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
+metadata:
+ name: default-allow-all
+ namespace: {{ .Release.Namespace }}
+spec:
+ podSelector: {}
+ ingress:
+ - {}
+ egress:
+ - {}
+ policyTypes:
+ - Ingress
+ - Egress
diff --git a/charts/rancher-provisioning-capi/100.0.0+up0.0.1/templates/role-capi-leader-election-role.yaml b/charts/rancher-provisioning-capi/100.0.0+up0.0.1/templates/role-capi-leader-election-role.yaml
new file mode 100644
index 0000000000..d1b53aafc5
--- /dev/null
+++ b/charts/rancher-provisioning-capi/100.0.0+up0.0.1/templates/role-capi-leader-election-role.yaml
@@ -0,0 +1,26 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+ labels:
+ cluster.x-k8s.io/provider: cluster-api
+ name: capi-leader-election-role
+ namespace: "{{ .Release.Namespace }}"
+rules:
+ - apiGroups:
+ - ""
+ resources:
+ - events
+ verbs:
+ - create
+ - apiGroups:
+ - coordination.k8s.io
+ resources:
+ - leases
+ verbs:
+ - get
+ - list
+ - watch
+ - create
+ - update
+ - patch
+ - delete
diff --git a/charts/rancher-provisioning-capi/100.0.0+up0.0.1/templates/rolebinding-capi-leader-election-rolebinding.yaml b/charts/rancher-provisioning-capi/100.0.0+up0.0.1/templates/rolebinding-capi-leader-election-rolebinding.yaml
new file mode 100644
index 0000000000..28c91de659
--- /dev/null
+++ b/charts/rancher-provisioning-capi/100.0.0+up0.0.1/templates/rolebinding-capi-leader-election-rolebinding.yaml
@@ -0,0 +1,15 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+ labels:
+ cluster.x-k8s.io/provider: cluster-api
+ name: capi-leader-election-rolebinding
+ namespace: "{{ .Release.Namespace }}"
+roleRef:
+ apiGroup: rbac.authorization.k8s.io
+ kind: Role
+ name: capi-leader-election-role
+subjects:
+ - kind: ServiceAccount
+ name: capi-manager
+ namespace: "{{ .Release.Namespace }}"
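Review bot: The patch-sa Job in hardened.yaml only patches the `default` ServiceAccount in the release namespace, yet its ServiceAccount is given `get`/`patch` on every ServiceAccount in the cluster through a ClusterRole and ClusterRoleBinding. Those RBAC objects and the ServiceAccount carry no hook annotations, so unlike the Job they stay in place after the hook has finished. A namespaced Role and RoleBinding limited with `resourceNames` to `default` covers what the command does. Separately, `default-allow-all` opens all ingress and egress for every pod in the namespace; if it exists only to override a default-deny policy on hardened clusters, a comment saying so belongs above it. The Job's container also lacks the container-level `securityContext` (`allowPrivilegeEscalation: false`, dropped capabilities) that the manager container has.

```yaml
# … unchanged: Job …
---
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: rancher-provisioning-capi-patch-sa
  namespace: {{ .Release.Namespace }}
  # … unchanged: labels …
rules:
  - apiGroups:
      - ""
    resources:
      - serviceaccounts
    resourceNames:
      - default
    verbs: ['get', 'patch']
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: rancher-provisioning-capi-patch-sa
  namespace: {{ .Release.Namespace }}
  # … unchanged: labels …
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role
  name: rancher-provisioning-capi-patch-sa
# … unchanged: subjects, ServiceAccount, NetworkPolicy …
```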
diff --git a/charts/rancher-provisioning-capi/100.0.0+up0.0.1/templates/service-capi-webhook-service.yaml b/charts/rancher-provisioning-capi/100.0.0+up0.0.1/templates/service-capi-webhook-service.yaml
new file mode 100644
index 0000000000..109b368d4b
--- /dev/null
+++ b/charts/rancher-provisioning-capi/100.0.0+up0.0.1/templates/service-capi-webhook-service.yaml
@@ -0,0 +1,15 @@
+apiVersion: v1
+kind: Service
+metadata:
+ labels:
+ cluster.x-k8s.io/provider: cluster-api
+ name: capi-webhook-service
+ namespace: "{{ .Release.Namespace }}"
+ annotations:
+ need-a-cert.cattle.io/secret-name: capi-webhook-service-cert
+spec:
+ ports:
+ - port: 443
+ targetPort: webhook-server
+ selector:
+ cluster.x-k8s.io/provider: cluster-api
diff --git a/charts/rancher-provisioning-capi/100.0.0+up0.0.1/templates/serviceaccount-capi-manager.yaml b/charts/rancher-provisioning-capi/100.0.0+up0.0.1/templates/serviceaccount-capi-manager.yaml
new file mode 100644
index 0000000000..afba516203
--- /dev/null
+++ b/charts/rancher-provisioning-capi/100.0.0+up0.0.1/templates/serviceaccount-capi-manager.yaml
@@ -0,0 +1,7 @@
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+ labels:
+ cluster.x-k8s.io/provider: cluster-api
+ name: capi-manager
+ namespace: "{{ .Release.Namespace }}"
diff --git a/charts/rancher-provisioning-capi/100.0.0+up0.0.1/values.yaml b/charts/rancher-provisioning-capi/100.0.0+up0.0.1/values.yaml
new file mode 100644
index 0000000000..0be412e186
--- /dev/null
+++ b/charts/rancher-provisioning-capi/100.0.0+up0.0.1/values.yaml
@@ -0,0 +1,25 @@
+image:
+ repository: rancher/mirrored-cluster-api-controller
+ tag: v1.4.4
+ imagePullPolicy: IfNotPresent
+
+global:
+ cattle:
+ systemDefaultRegistry: ""
+ kubectl:
+ repository: rancher/kubectl
+ tag: v1.20.2
+ pullPolicy: IfNotPresent
+
+# tolerations for the capi-controller-manager deployment. See https://kubernetes.io/docs/concepts/scheduling-eviction/taint-and-toleration/ for more info
+tolerations: []
+
+nodeSelector: {}
+
+## PriorityClassName assigned to deployment.
+priorityClassName: ""
+
+extraEnv: []
+args:
+ - "--metrics-bind-addr=localhost:8080"
+ - "--feature-gates=MachinePool=false,ClusterResourceSet=false,ClusterTopology=false,RuntimeSDK=false,LazyRestmapper=false"
diff --git a/index.yaml b/index.yaml
index c5f7382bc4..0a1a7f88ac 100755
--- a/index.yaml
+++ b/index.yaml
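Review bot: `global.kubectl.tag: v1.20.2` is three minor versions behind the `catalog.cattle.io/kube-version: '>=1.23.0-0'` that the chart declares, which is outside kubectl's supported one-minor skew. It is also the image the post-install hook runs with ServiceAccount patch rights, so it should track a maintained kubectl release that matches the supported cluster versions. Both images are referenced by mutable tag only, and the templates build the reference as `repository:tag`, so pinning by digest is not possible without a template change; that is worth a comment next to the `tag` keys.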
@@ -13544,6 +13544,32 @@ entries: urls: - assets/rancher-prometheus-adapter/rancher-prometheus-adapter-2.12.101.tgz version: 2.12.101 + rancher-provisioning-capi: + - annotations: + catalog.cattle.io/certified: rancher + catalog.cattle.io/display-name: Rancher Provisioning CAPI Controller Manager + catalog.cattle.io/kube-version: '>=1.23.0-0' + catalog.cattle.io/namespace: cattle-provisioning-capi-system + catalog.cattle.io/os: linux + catalog.cattle.io/permits-os: linux,windows + catalog.cattle.io/provides-gvr: apps.deployment/v1 + catalog.cattle.io/rancher-version: '>= 2.7.0-0' + catalog.cattle.io/release-name: rancher-provisioning-capi + apiVersion: v1 + appVersion: 1.4.4 + created: "2023-07-24T13:05:39.150204-07:00" + description: capi-controller-manager compatible with Rancher Provisioning + digest: a750fa212369dbe092f1d5731ac568d160d14844c7e392a55e61b4e757e0821c + home: https://github.com/rancher/provisioning/blob/main/charts/capi/ + maintainers: + - email: chris.kim@suse.com + name: Chris Kim + name: rancher-provisioning-capi + sources: + - https://github.com/rancher/provisioning/blob/main/charts/capi/ + urls: + - assets/rancher-provisioning-capi/rancher-provisioning-capi-100.0.0+up0.0.1.tgz + version: 100.0.0+up0.0.1 rancher-pushprox: - annotations: catalog.cattle.io/hidden: "true" diff --git a/packages/rancher-provisioning-capi/package.yaml b/packages/rancher-provisioning-capi/package.yaml new file mode 100644 index 0000000000..40d9afaf11 --- /dev/null +++ b/packages/rancher-provisioning-capi/package.yaml @@ -0,0 +1,5 @@ +url: https://github.com/rancher/provisioning.git +commit: ddba2c23cd70016f002448fd801d96aa9375782e +subdirectory: charts/capi +version: 100.0.0 + diff --git a/release.yaml b/release.yaml index b1964716fb..b330229016 100644 --- a/release.yaml +++ b/release.yaml 
@@ -50,5 +50,7 @@ rancher-monitoring-crd: - 102.0.2+up40.1.2 rancher-project-monitoring: - 0.3.0+up0.3.3 +rancher-provisioning-capi: +- 100.0.0+up0.0.1 rancher-webhook: - 2.0.6+up0.3.6-rc2 From 2f2619e49090e6213697abaa98a1b8ecd80ab442 Mon Sep 17 00:00:00 2001 From: Chris Kim Date: Tue, 25 Jul 2023 13:26:50 -0700 Subject: [PATCH 2/2] make charts Signed-off-by: Chris Kim --- ...cher-provisioning-capi-100.0.0+up0.0.1.tgz | Bin 3415 -> 3419 bytes .../100.0.0+up0.0.1/Chart.yaml | 1 + .../100.0.0+up0.0.1/templates/hardened.yaml | 1 - index.yaml | 5 +++-- 4 files changed, 4 insertions(+), 3 deletions(-) 
diff --git a/assets/rancher-provisioning-capi/rancher-provisioning-capi-100.0.0+up0.0.1.tgz b/assets/rancher-provisioning-capi/rancher-provisioning-capi-100.0.0+up0.0.1.tgz index a1b8c78f920bb424db20450362be1726ad1b3f13..3a408e613d38e1b5668547a68f8ca4cbc2e8d615 100644 GIT binary patch delta 3356 zcmV+%4de3H8rvF>MGEllLx6piEIW?Vkxw6gNJ-XDTX7sGEzCa>i=;S1a%MO)oRPrH zn}e`I!52gl&Ip@X9u7(GY>tJpZ*f3hJg_*9M9XI zx3OWsNaLG9~Yx`+}M-PE>* zAOfPKmGyf0g)pCgk@dY}z&=Q8wh%6V!eJ=8ko=wwy6AUs7-o-sduR_kK1ffHQ0XeYP+qo+R$z7!c{~WQA`=Se3sLi0 z66nl%jLKZ8P`bU|jHr1uu{|E7v+L!t>rE)1^a4y+&x>V|>}k2wiE9)l41{!lI~IZf z6Y3&wE{L?RN$@urNr(sSAY`U~7B`_^NYL4|6p}~613l~mk<7NK?>M$&JO3Mn@&A73 zsTsahn&tlj(+K1)4uDPae=u^&^8ds+J;?uk6cXSW#FAe?$R$x++-3~Y3y2V0fNyy; zk_v=Xc87bviT3CzvM3jG`JWLPqGm zg(;4xx`Y{#D#oE3OZ`~Jdy1Nlbr>ccbbE@+z_ACqB5cIu2c$R!Va`1?W#B zaJJDEKqeYu;DUhysZT)e$)3lV2ceQZ>CM59Xv|HpAYKfp7Yi+AVdh(ZE9gB9J>UWm zVN>48;pL)Fe|9>I`)~ymJjI2J?v|a-4?m!>AY2f2dq%O87dQZfr6e;3K2ki7ZznAG z)GOP88zt~LTWAPBq|V}ty6`lrK^{69TC86D*RKFZx4 z`q4I~o|YraC7NT2CIAc(CKaX>d>ft3!MjF8NhB3kkwlYQBqA1nQ;WNj)5x+iH5=XC zA^Xy(pn7OiyIi6fC=_yEcAt9ghtiJ!KhJ@NAf&CrtyIBH{688Fiu^xtM#F>tx0iBv zXCWV^gaPUrP3*I8RI$$@(Z#yRS}r?rM>0kB@5U@Jx?E~)*6MKCYoQ=aO;PuMWUsr` z06-;V58V|$!2HU8?@oS3+7`EB6)LB4Ni%?jt|8Vl^EQ60+-SSUP2PO$BUJ+?)iTrOuMbnkcld1a42e!D<4CCq{rR=HvFGx|AJF6eiA&J35fMR zKh=?~xUtDr+{FLGEBW%gei)!~}abj?|nB@>L^YCqpdyoom8;7oDxJ=>(v# zj}?wV(;N~N1QHLMa8b^3&HO>@Xt*OH3dZz$>aE#J*^2+$FnzA9=l}j-cv|xR3{ITm z!}-6LvJY;5Tq_Q?<=+~n)t(6)lAi^S!c0C{#+8JSfXuy{wq(|d)Kv=*lU(ZzRQ8(^ zxqA2#OTi{+*!MY;c6m-sC>;HCR0rD=fE8qqK2XR#Hewbgn3<<2^z(!4675tbq%ELi zZ%P=ZOzLqD3EU`PF&RsH1LBc?R6Ix+b{q zhPE|-8(HY~EDxFl(U5am!CqIcnVo6>b_ujHp>>n}&L-MCnYP&P6hWvzu=WeQRQK%9 znYM_Ro1YOOH~Tj{&ZcA*;P4@fza?x~wA7#;7Y)Y!XJTJh4JFWQt zkDX)Z;Q!x8*^&R>IOYpPB(76xu{0ZRe??I1-AA9g;u==r?%h92q5^&D{*+W2zE3JF z%i7f)WW%fzHR17RpF-MV71I5`C;v|f^Rsk`{1r^nP%9WV@&C!msC@r_Iyl__?WJsg z&k27wJHFFP`5KDq#J?|L8V{P%{~A;~2vvEu)y2PzCjSOcC9Gx!xdO2u9=!299x}wj9zZT|0_?L)es`TULV-N|D(alX^HOxoDKna5;*2wsxVLWzf^i~1de(zrW=cug47J?7GGHYxuk 
z5OYfy7rH5iY907?2q2U$MfygXG?$KIA&&iPAIU;k^lkqhObYMWW?DqY6?WtlQFVjt_#{%<%uE`c$_eSyiG z^J`0jSQJLpBMYv$$Ek}xo{cwu0&r>pG|aJKWC7SGTdigM=55=hl;A}=CyX-%H>Dvl zrToiSkOiSIgLCO&icRLP&cG`4^>BzMgc3zSmJ#y>533Yzp*Qc}cZzF~fb#1gh={$B ziOx4VIXNCwTYrImXm!(=@bguUxm(kfCyFaD>0H6ak0dpIr0 zF$F@E8sbg(mC;)l#g}FY2}J_;eKkVVW|3e-_w-F$lu_EATk;<0C(1M?(jNGp~04j0?87V5TmILY_#7 z2Uc#3Qkv!+BFv+a-xU0BqrVVKmig6cl}lniKWM$EFZ9SZt~6pn<`)u78}KaTO5{-; zHKLl&r>(^_-yuV^G@j1$$ZD)C^J0~Fk?oJp-O$MDAmm~qMLxQJE_)-*>sW=IwgJ)I z0K;fttMf3Q6>>wQk~;tu;8_2=7mV%&KfeJlQaRMt0|DjvEkIQ0sYC~reB)Kmx>V%5 zyT%t+T1F1$Q=3cQU1?+g&#~}O?9vyD5bDl>2DY5{;1ur!OE}A14C_t&d#o3#@d&hEk)okr zr$DtvVjDFtr-k<&Csn)z#Ehj`I8Y)gpqU5*J z@qaWr{*R?>*d&j>s_i#*G$DVDnSRwLY|%bKxgm#|>$w8r|*UBT-%8XDJA=7@?R%g>JL|ZTY_t_*1uO zYXX2a@&BlQQi=Z=9=`vvm$C)_KStos8j5N!4YpG&s}VxAGU+=F4{F2z*>y+F9Y`CW z;O6*$zjFNVaCCCu|GkuT7RpXJyhJyxxw^*T#{hf_>)W^7=dR6doz)D|T-U8ki!5%y zN^Z(mQ348!87OnNUx^VYh7z@0i>Kb_rg9JdPn;2j*xy!H0-N}MFs$(Z$#8Js|9zDE mdMI`j;oF-1pL%@`^Z+_TuWZI1?n_`hx2<^R25Z}g%!7!1e5;b7G7 zzp#6w{uS6|s_qVg)5h@F%0_k+S zbD|dE)N;9>&aRust~;fC+VwGET{jXmvKtGXPE?~XVIZW_F%kHfPzSjSL8NtmMf|_X zP(n0l2O&N6)2IpkLj2CQrI0)nF2uv$6Ul6wdbVxZmi@nB5dH6U9-Eu*UYh0q64Mam zJ`R9w^1nZ_%kqEN9~|ZXAqw&F93sgtAmEZHE^aa&>iR?oF2FNg8cGGiEQ*H?LJH3# zxe`kfgyO*_A*B;eiF@Oq_p@_U=h-C`5nw~NYw?*iBu5| zhS5PNItE-tb;mjklMZovic8U4hi0Zjzqf~cEQilscqJ|HY5nKST^;(2^KLAhtVvK_cq0-v#E z3;xXo22$4WQzE3`R3wp8xvk?9x)#YDXAbdA0Swt<)T23R=%rtR-bbE`e3$3NbL+jer z3e7>GfP2z-?71IHJO2N&02+XhmI`)K1-J44XwWb6f8QRBj{4t0%I&R*JeUy%$k3YD z7f-8VUqqsd8OU6%I#EY5L)P!wEYP}KYLM3IaM^2tAWY4W@jtR_>@)yS3E6|O#s`>J z`Q6FSC^py4NQKIOsa#SIV4^FC^vt{)AX08(yT?i1jVfR^16Mi7IOmsItAnVT2hn(u zQf8d}C&bifg@#O2IgLY6gIv2I@*_R${H2Di79q19I6Eu2W9CW(IrsIRc9#%L4O>;<8 z5J;SG!a+I9HFFtlqT!ARDQMH{vA5w)gG@e|+LeTmfXoA&wq(|djH{L)rn%NRsO&c-a{cf%l7dap zu;+0mt@50jP&oPNqz<+#04vBIJ)n?#Y{V=`Fw;+A;N=I|C)%k@NLxV3?u;-@$u|&k zV>fLq%nbhMR5V%&rA~KfN7Q{oTxSuw}8XAdzwZi>Tz?5?(mB2y$YQ|V-FJnM4 zgXUg@%>UbWL@%0_X`ugNqpkLoqCd8-1wfCAvL$B|b7#D!4TDS{vubv0~4Q(4Xve4~G z9yAGmq5m~nN75LGHtQnD}qpeU>z2CsqV?2Gi?zsH$Ndl 
zZuW1uoXyDG$H9FTe@ED`Y^gy#EE_o$h$~n}#2bH>L9|wV4v--Pi*YD5bD82AB z;~P&0RY|DGq>b&{c}xc2CJ8N+xL7)WsMkR#jl0u`*Mu?MVJ_`vlk!gjF}H+Kq1$4p zHi2)407B_fq;I5ob?GQ3a=Gtg=B=xAbvHkXF2I)MUV6VKzrOo&{`TY9<>c+@S)oS~ zOZgAMeW%ob(2M}}61iU6HohlSq=`nUJ*9u9IyymItyn!ba7;^0@L z_`k4EtF3<_!aQIK_4+6mCc9eYAXjp>V%ADViW{v`mzc}e15mOA22xH0pF(j?3#Ede zL6s*O#PjQFzy7y!BNxg+)i%A@Rl1D&%Q9tV#6F2f`@g~9RSAq9?kh|eoL`v|#Ii7I zJhI@5yPP`c)9GX@0J|1I!yFrbMiziQveQ~dZ{Dl=tloyO$bEh9!^Vta!i3xrG{t| zer5E=L6PNF<}nAIM68;e3LB#BEwoxycyOKkh*m47(yZ_ttyU*Fm}yd9e&VJ{0ec|K z_%N)I9MMZ9$d$;WI%-5UpHEwh zX}&{-XlcAS&m*fbv&@Ti;zhPUaqdQpY#fAKOr*$1*JW>{c^&J2u+ugmj4d#<2DUyA z^I0L+L@K!lP(F_IzdOM&&iUCjxS`6SwiyU0*J}ZyLQf?+sN@^3d)B2Q-`+O9xYjaq zFdy4odUmCa{lCD%0|wr%--6g;{|^RsIseBVkH<&*{}3f_|4$>UcEzKf2Pr6q(#O^^TF`YA0EL9diQ}rzKJH+v)f}Y90T_ zQZ{UoM_<+Un>uQ}f0H@C;pHH2(&xrVokHldk#sd)A|qal=tn|eSQA)OlguyrX$H~X z+dm8(DjpkJMIZVneg*6gBeC^X$<Oc6w19S}yPcN8vdtM+-j;0fOTeGpF!4bt&-70> z0c7>>^_$7lnSOX|73@(<8~uNs_?veh5zbmB0B?||}jE>*`I7r!n{~sdoX9GpGmj=73l+_5KTAB1r!-LxJe|Ftba|hDKC%8TS zuN?n>I~a|R{C|+L$vW99hnMK4HCNX-{1|{|;`sJ0_eE@dTW2=1.23.0-0' catalog.cattle.io/namespace: cattle-provisioning-capi-system catalog.cattle.io/os: linux diff --git a/charts/rancher-provisioning-capi/100.0.0+up0.0.1/templates/hardened.yaml b/charts/rancher-provisioning-capi/100.0.0+up0.0.1/templates/hardened.yaml index 933dfb86a7..c56951b43d 100644 --- a/charts/rancher-provisioning-capi/100.0.0+up0.0.1/templates/hardened.yaml +++ b/charts/rancher-provisioning-capi/100.0.0+up0.0.1/templates/hardened.yaml @@ -29,7 +29,6 @@ spec: command: ["kubectl", "patch", "serviceaccount", "default", "-p", "{\"automountServiceAccountToken\": false}"] args: ["-n", "{{ .Release.Namespace }}"] --- ---- apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRole metadata: diff --git a/index.yaml b/index.yaml index 0a1a7f88ac..8fb14dba1e 100755 --- a/index.yaml +++ b/index.yaml 
@@ -13548,6 +13548,7 @@ entries: - annotations: catalog.cattle.io/certified: rancher catalog.cattle.io/display-name: Rancher Provisioning CAPI Controller Manager + catalog.cattle.io/hidden: "true" catalog.cattle.io/kube-version: '>=1.23.0-0' catalog.cattle.io/namespace: cattle-provisioning-capi-system catalog.cattle.io/os: linux @@ -13557,9 +13558,9 @@ entries: catalog.cattle.io/release-name: rancher-provisioning-capi apiVersion: v1 appVersion: 1.4.4 - created: "2023-07-24T13:05:39.150204-07:00" + created: "2023-07-25T15:13:25.7396-07:00" description: capi-controller-manager compatible with Rancher Provisioning - digest: a750fa212369dbe092f1d5731ac568d160d14844c7e392a55e61b4e757e0821c + digest: 40721dd822b35c4e8c8de0117f0989334a5dd4b19dfb274f6ffd52f8bb8fd7f0 home: https://github.com/rancher/provisioning/blob/main/charts/capi/ maintainers: - email: chris.kim@suse.com